hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_billing_budget cannot be used under user authority. #7948

Closed JSteeleIR closed 3 years ago

JSteeleIR commented 3 years ago


Terraform Version

Terraform v0.14.0

Affected Resource(s)

Terraform Configuration Files

provider "google-beta" {
  project = "REDACTED_PROJECT_ID"
  region = "us-central1"
}

provider "google" {
  project = "REDACTED_PROJECT_ID"
  region = "us-central1"
}

resource "google_project_service" "billing" {
  service = "cloudbilling.googleapis.com"
}

resource "google_project_service" "billingbudgets" {
  service = "billingbudgets.googleapis.com"
}

resource "google_billing_budget" "enforce_billing_budgets" {
  provider = google-beta

  billing_account = "REDACTED-BILLING-ACCOUNT-ID"
  display_name = "Enforcement Budget for Account: REDACTED-BILLING-ACCOUNT-ID"
  amount {
    specified_amount {
      currency_code = "USD"
      units = 100
    }
  }

  threshold_rules {
    # Alert at 75% Enforcement budget
    threshold_percent = 0.75
  }

  threshold_rules {
    # Alert at projected 100% Enforcement budget
    threshold_percent = 1.0
    spend_basis = "FORECASTED_SPEND"
  }

  threshold_rules {
    # Alert at 100% Enforcement budget
    threshold_percent = 1.0
  }
}

Debug Output

https://gist.github.com/JSteeleIR/445dbc6af5a3841a320a133ca082cf99

Expected Behavior

Terraform/google_billing_budget creates a billing budget on the specified account.

Actual Behavior

Terraform dies with the following error:

Error: Error creating Budget: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the billingbudgets.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "consumer": "projects/REDACTED",
      "service": "billingbudgets.googleapis.com"
    },
    "reason": "SERVICE_DISABLED"
  }
2020-12-05T16:45:20.663-0700 [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
]

Steps to Reproduce

  1. Replace redacted values w/ project_id and billing-account-ID for project/account user has admin over.
  2. gcloud auth login (obtain end-user credentials)
  3. terraform apply

Important Factoids

Requiring a user to create/impersonate a service account and export the Service Account Key (or launch a GCE instance) to enable Terraform to configure Cloud Billing Budget is non-trivially complex, and seems excessive for the desired goal.

This limitation also forces users into a less-secure configuration, especially if the requisite service account has to be granted permissions to administer billing accounts. The resources involved in the additional attack surface (the exported service account key, or the GCE instance) are historically misplaced/misconfigured. A user attempting to use Terraform to configure billing limits may accidentally expose their project/billing account to abuse in the process of meeting these additional requirements.

edwardmedia commented 3 years ago

@JSteeleIR the error message seems clear about what is wrong, and below is what is recommended. You may also check if you can follow the steps to resolve the issue.

 using a service account through the auth/impersonate_service_account setting

JSteeleIR commented 3 years ago

I can confirm, impersonating a service account does appear to work. From the terraform/google-provider perspective, I guess this is a non-issue.

We might want to file a bug with the Budget API team, though. I think this restriction is something that should be addressed on their side. I can think of no logical reason this API should be inaccessible from EUCs, and I think that restriction does force less-secure configurations.
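As an added example (not code from this issue or from the terraform-provider-google project), the following configuration shows the impersonation approach JSteeleIR confirmed works, set up so that the human operator never exports a service account key: the signed-in user's end-user credentials are used only to bootstrap a dedicated, budget-only service account and its IAM grants, and the budget itself is created by the google-beta provider impersonating that account via short-lived tokens. The `impersonate_service_account`, `user_project_override` and `billing_project` provider arguments and the `roles/iam.serviceAccountTokenCreator` and `roles/billing.costsManager` roles are real; the project ID, billing account ID, operator e-mail and the `tf-budgets` account name are placeholders.

```hcl
# Added example, not from the issue or the provider project.
# All identifiers below are placeholders; replace them for your environment.

variable "project_id" {
  type    = string
  default = "PLACEHOLDER_PROJECT_ID"
}

variable "billing_account_id" {
  type    = string
  default = "PLACEHOLDER-BILLING-ACCOUNT-ID"
}

variable "operator_email" {
  type    = string
  default = "operator@example.com" # placeholder: the human running terraform
}

locals {
  # Email the service account below will have once created (hypothetical name).
  budget_sa_email = "tf-budgets@${var.project_id}.iam.gserviceaccount.com"
}

# Phase 1: bootstrap as the signed-in human (gcloud auth login). No impersonation;
# the quota project is set explicitly because end-user credentials have none.
provider "google" {
  alias                 = "bootstrap"
  project               = var.project_id
  region                = "us-central1"
  user_project_override = true
  billing_project       = var.project_id
}

resource "google_project_service" "billingbudgets" {
  provider = google.bootstrap
  service  = "billingbudgets.googleapis.com"
}

resource "google_service_account" "budgets" {
  provider     = google.bootstrap
  account_id   = "tf-budgets"
  display_name = "Terraform billing-budget automation"
}

# Let only the operator mint short-lived tokens for the account (no key file).
resource "google_service_account_iam_member" "operator_can_impersonate" {
  provider           = google.bootstrap
  service_account_id = google_service_account.budgets.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "user:${var.operator_email}"
}

# Grant budget management only, not roles/billing.admin. (Assumption: the
# Costs Manager role is sufficient for budgets in your organisation.)
resource "google_billing_account_iam_member" "budgets_costs_manager" {
  provider           = google.bootstrap
  billing_account_id = var.billing_account_id
  role               = "roles/billing.costsManager"
  member             = "serviceAccount:${local.budget_sa_email}"
  depends_on         = [google_service_account.budgets]
}

# Phase 2: everything else runs as the service account via impersonation.
# The provider exchanges the user's credentials for a short-lived SA token.
provider "google-beta" {
  project                     = var.project_id
  region                      = "us-central1"
  impersonate_service_account = local.budget_sa_email
  user_project_override       = true
  billing_project             = var.project_id
}

resource "google_billing_budget" "enforce_billing_budgets" {
  provider        = google-beta
  billing_account = var.billing_account_id
  display_name    = "Enforcement Budget for Account: ${var.billing_account_id}"

  amount {
    specified_amount {
      currency_code = "USD"
      units         = 100
    }
  }

  threshold_rules {
    threshold_percent = 0.75
  }

  threshold_rules {
    threshold_percent = 1.0
    spend_basis       = "FORECASTED_SPEND"
  }

  depends_on = [
    google_project_service.billingbudgets,
    google_billing_account_iam_member.budgets_costs_manager,
  ]
}
```

Because a provider block cannot wait on resources, apply the bootstrap resources first (for example with `terraform apply -target=google_billing_account_iam_member.budgets_costs_manager`) and then run a full apply; the budget provider then authenticates as the service account without any stored key, and the token-creator grant is the only new permission the human identity holds. The same effect outside Terraform is `gcloud config set auth/impersonate_service_account <sa-email>`, the setting the error message refers to.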

edwardmedia commented 3 years ago

@JSteeleIR I am glad you have found the solution. Closing the issue then. Feel free to reopen if you need further discussion regarding the provider.

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!